So there is no totally accepted placement here, but I'm of the mind, and I believe Cisco is as well, that your IDS is best after your edge router (inside of it) rather than outside. You don't want your IDS busy tracking all that worthless traffic out there; you only want it to see the stuff your firewall isn't blocking.

Missing from your diagram are other UTM functions like network AV or a web proxy; those would potentially be inline between the router and the switch as well. Not always, but optionally.

I understand there's no need for a UTM to block stuff, as most routers will do it. But what about things like content filtering? How do you block unwanted websites from being accessed?

Yeah, that's something I was wondering too, but it really comes down to just another service, either through a separate appliance on the edge of the network or a role enabled somewhere else, such as on end-point AV. We use Trend WFBSS where I work and we can do DNS white-listing through that, but it is ideal to have it at the firewall in the event that some device isn't running the Trend AV agent. So yeah, I would have it on the edge, preferably.

Yeah, I understand what you are saying about having each role of the UTM broken out into separate products and that makes sense and I can see how having the option of a system that "does it all" would be appealing to companies. Let's say I wanted to do that. What would I have to do?

The first decision point is.... do you really get value from security features beyond those of a good firewall?

If yes, then which ones specifically?

Then you'd find ways to get those specific features.

BTW, what would be a good firewall anyway? Like every time I look up firewall, all I find is UTM

@dave247 I never recommend a UTM. If you are going to go UTM, then go Palo Alto.

SonicWall is crap. Sophos and Watchguard are meh.

Same advice here. Avoid UTMs nearly always (there are exceptions, but not that many), but when you need one, then you need one that is really good, and that's Palo Alto. These cheesy cheap UTMs just don't cut it. They don't do that much, but cost way too much for what they do.

Not disagreeing, but I'm looking for some real-life examples. Simply saying one is crap or cheap, or better from a top level when others are more expensive or less expensive (I know, price not relevant for quality) doesn't cut it.

What's a real-life scenario where SonicWall is crap and Palo Alto wins?

Can you explain your reasoning a little more in depth? I've had mostly good experience with SonicWall..

Define good experiences. One of the problems with UTMs is that they do things that often have negative outcomes, but seem positive. They are part of what is known as security theater. They encourage false fears, and provide false results that seem to protect you against things that generally aren't really threats. It's very difficult to really find value in them, but it's easy to perceive it.

Not that they have zero value, they can have benefits. But those benefits are generally extremely nominal, while they are costly to acquire and costly to maintain.

Our appliance has protected us from various threats (IDS/IPS, Gateway AV, etc), monitoring and alerting have been nice, firewall configuration is easy, support is really good, etc.

So these are the things that I mean. How do you know that it has protected you from something? The only way to know this is for the UTM to claim it. But that's not a good measure. Those of us without UTMs are generally protected from those same things without having a UTM. So while it's essentially impossible to prove, all evidence suggests that the threats it protected you against aren't real-world threats at all. You don't need an IDS or Gateway AV to protect you from them. Your normal everyday $100 firewall generally blocks all that stuff already. What it doesn't block, your OS normally does; what it doesn't, the OS AV does. UTMs famously report on all kinds of things we normally ignore because they aren't really threats. That's the security theater we are talking about. Not only do they produce a panic reaction by making your network seem under attack more than it really is, they also make it seem like they are what is protecting you. When in reality, they normally do absolutely nothing of consequence.

Monitoring and alerting is "nice", but how often was it useful? What kind of monitoring are you getting? Our non-UTMs alert to basic stuff, too.

I've worked with SonicWall, if that's what you call easy, you need to check out some other stuff. It's not terrible, but I wouldn't call it good. SonicWalls cost at least double in time to set up compared to lower cost gear. That they are time wasters is specifically one of the issues we typically have with them. They require more time and effort than other options. This is generally true for all UTMs, to do what they do, they require more input.

I agree here. You're going to see the UTM doing more if it's the first hit. But also, I see so much that the OS and AV block that the UTM lets through.

If you just want VLANs, there is no need for more than two ports on your router. You only need more than two ports when you have more than one LAN, not more than one VLAN. So that matters as to whether you need more ports or not.

I don't fully understand where you are coming from here. I have a different VLAN for each different network (LAN).

We've been doing this since the dawn of the web, UTMs are newcomers. Squid Proxy is the simplest "on your network" solution. Hosted DNS filters like pi-hole are the simplest "outside your network" solution. All kinds of ways. You can do it with your internal DNS, too. Depends on your goals.

But the first question is always.... does this really serve a business function? Content filtering can be handy, but typically undermines the business. Like most things, there is a time and a place for it, but most companies do it to prove to employees that they control them, not for any business goals.
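
The DNS-side filtering the reply above points at (pi-hole style, or the same thing done on your internal DNS) comes down to one decision per query. As an added example, not code from any participant in this thread, the block below implements that decision in Python: it parses a DNS query from the wire, suffix-matches the name against a block list using the same leading-dot convention as Squid's `dstdomain` ACLs (so one list can feed both a proxy and a resolver), and either fabricates a "sinkhole" answer or hands the packet to the upstream resolver untouched. The block list entries, the `.example` names and the 0.0.0.0 sink address are constructed for the example.

```python
import struct

# Constructed block list (an assumption for this example). A leading dot means
# "this domain and every subdomain", the same convention Squid's dstdomain
# ACLs use, so one list can feed both a proxy and a DNS filter.
BLOCKLIST = {".casino.example", ".gambling.example", "ads.example"}

SINK_IP = "0.0.0.0"  # pi-hole style: answer blocked names with an unroutable address


def is_blocked(name, blocklist=BLOCKLIST):
    """Suffix-match a query name against the block list."""
    name = name.rstrip(".").lower()
    for entry in blocklist:
        entry = entry.lower()
        if entry.startswith("."):
            if name == entry[1:] or name.endswith(entry):
                return True
        elif name == entry:
            return True
    return False


def build_query(txid, name, qtype=1):
    """Encode a single-question DNS query (QTYPE 1 = A, 28 = AAAA), RD set."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, qclass, raw_question) from a DNS query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def sinkhole_response(packet, sink_ip=SINK_IP):
    """Decide what the filtering resolver does with one query.

    Returns (decision, response_bytes): "forward" with None means hand the
    packet to the upstream resolver unchanged; "sinkhole" carries a NOERROR
    answer pointing at sink_ip; "nxdomain" covers blocked names asked for a
    record type we will not fabricate (AAAA, MX, ...).
    """
    txid, qname, qtype, qclass, question = parse_query(packet)
    if not is_blocked(qname):
        return "forward", None
    if qtype != 1 or qclass != 1:
        header = struct.pack("!6H", txid, 0x8183, 1, 0, 0, 0)  # QR,RD,RA + RCODE 3
        return "nxdomain", header + question
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)      # QR,RD,RA, one answer
    # Answer RR: NAME = pointer to the question name at offset 12 (0xC00C),
    # TYPE A, CLASS IN, TTL 60s, RDLENGTH 4, RDATA = sink address.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    rr += bytes(int(octet) for octet in sink_ip.split("."))
    return "sinkhole", header + question + rr


if __name__ == "__main__":
    # Constructed sample queries: one blocked A, one blocked AAAA, one allowed.
    for qname, qtype in (("www.casino.example", 1), ("ads.example", 28), ("intranet.example", 1)):
        decision, resp = sinkhole_response(build_query(0x1234, qname, qtype))
        print(f"{qname:22} type {qtype:<3} -> {decision} ({len(resp) if resp else 0} bytes)")
```

The point this makes about placement: the resolver enforcing the list only has to be the one every client is told to use (via DHCP, or by an egress rule that only lets the resolver itself speak DNS outbound); it does not need to sit on the edge router. The same `is_blocked` semantics are what a Squid `dstdomain` ACL applies to proxied HTTP, which is why the two layers are usually fed from one list.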

It should never, ever be on the edge. Having it on the edge doesn't provide the peace of mind you are envisioning, that's part of the smoke and mirrors of UTM sales. You don't even need it on your network to get that. It just has to be inline in your web processing pipeline.

That's because that's where all of the marketing dollars go. Firewalls aren't things that people really search for anymore. And most people now just call them routers, because in the IT market since the 1990s, all routers are firewalls, and all firewalls are routers, so people sell them randomly as either. The higher end, the more likely to be called a router.

Are you talking about having sub-interfaces?

VLANs don't require firewall ports. Physical LANs do. You are saying you have VLANs, but saying you need firewall ports for them.

Basically it works this way....

If you have VLANs to separate your LANs, you can do it all on one port.

If you have physical port separation for your LANs, you have no purpose for VLANs.

VLANs or physical separation are both fine for different use cases, neither is a terrible thing, neither is automatically better than the other. But your description of using VLANs and using six ports on your firewall doesn't seem to fit. In theory, it should be one or the other.

I don't understand why you are saying this. The idea is to have web-filtering/white-listing on the perimeter of the network because that ensures that everything on the network has to pass through it. If we are blocking all porn and gambling categories, then this ensures that nothing in our network will ever get to those sites. It's simple positioning.

And then on this subject, having a UTM is nice because with Sophos, for example, you have systems with agents on them and then you can put users/machines in various groups and apply different web and application white-lists against them.

Have you ever had to set up a SonicWall? Terrible, time-consuming interface compared to a basic firewall. It takes way longer to figure out what's going on because of all the extra steps compared to a standard firewall/router. I can have a VyOS system up and running in a half hour, with a system anyone else can look at the config and understand what's going on. SonicWall, not so much.

I don't have any experience with Palo Alto, but I'd assume it's along the same lines as SonicWall, just because it has to do all the things.

It's faster for me to set up and configure the needed network services separately than a SonicWall.

Because it's a bad place to have it and doesn't provide anything special like you are thinking. Having your proxy in your pipeline provides what you are looking for, having it on the edge doesn't guarantee that any more than having it anywhere else.

You are wanting X and stating Y and are feeling that you get X because of Y but that isn't true. This is why UTMs are selling so well, it's become common to think that they are "how" you do features, but those features are things we've had for decades, and UTMs are new, so it can't possibly be the UTM or the edge placement giving the features.

Let me clarify. I have a switch with various trunk ports (from the different VLANs) which run directly to different ports on our SonicWall. Yes, I could run them all through one trunk port on the switch to a single port on the SonicWall with sub-interfaces, but then bandwidth will be limited to a single 1Gbps Ethernet port. Each zone is on its own VLAN and then we have various firewall rules and policies for those.

That's a nice feature of Sophos, granted. But isn't from the UTM. You are perceiving a Sophos feature and thinking that it is caused by it being a UTM, but it is not. Sophos, I believe, does that in their non-UTM products, too. And you can definitely do that with non-UTM products outside of Sophos. That you can do it in a UTM, too, is nice as an add on feature to the UTM, but it doesn't change the fact that the UTM is the "lesser way to do it."

Bottom line, it's impossible for a UTM to be better than alternatives from a performance and security standpoint. Anything you can do in a UTM you can do better without a UTM. All UTM features existed in the enterprise before anyone thought that shoving those features into their router was an acceptable practice.

I want to block all possible porn and gambling sites using the lists provided through the SonicWall services and as a result, all porn and gambling websites are blocked.

It seems like you are stuck in the past with how to do things and anything that presents itself as a new way of doing things, you throw a fit about. I understand what you are saying and where you are coming from, but I don't think you are being very reasonable with how opposed you are being to the concept of a UTM.

That's a weird way to do it. What you would normally want is...

To move to a firewall with a faster interface that can handle your desired workload.

Use the L3 switch for the ACLs, not the firewall, that's why these exist in the first place. If you have an L3 switch and are doing this, you are missing why you paid for the L3 switch.

Use trunking to the firewall instead of individual ports for each VLAN.

One of those three, #2 preferably.

Now given how many VLANs you have, I'd recommend a thread to talk about if they are needed. Rule of thumb is that you want to avoid VLANs when possible. If you have devices that need to talk across VLANs, this pretty much tells you that the VLANs aren't right for your needs. There are loads of cases for VLANs, but most places do them when they are not needed and an unneeded VLAN means performance and management overhead that is just wasted resources.

Of course, VLANs become smart when you have more than 2-4K devices on a single subnet.
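
Two earlier points in this thread, that VLAN-separated LANs need only one firewall port, and the advice just above to trunk to the firewall instead of cabling one port per VLAN, both rest on how 802.1Q works at the frame level. As an added example (not code from any participant, and not a model of any particular SonicWall or VyOS behaviour), the Python below builds and parses tagged frames and models a trunk port whose sub-interfaces demultiplex on the 12-bit VLAN ID. The base interface name `eth0`, the VLAN IDs 10/20/30 and the sample frames are assumptions constructed for the example.

```python
import struct
from typing import Optional

ETH_P_8021Q = 0x8100   # TPID that marks a tagged frame
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806


def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in text.split(":"))


def untagged_frame(dst, src, ethertype, payload):
    """Plain Ethernet II frame: no tag, EtherType straight after the MACs."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and the
    original EtherType. VID 0 means priority-tagged and 4095 is reserved,
    so a sub-interface can only be bound to 1..4094."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # DEI bit left clear
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, pcp, ethertype, payload); vid is None when untagged."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_P_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, tci >> 13, inner, frame[18:]
    return dst, src, None, 0, ethertype, frame[14:]


class TrunkPort:
    """One physical firewall port carrying several VLANs.

    Each configured VLAN ID gets a sub-interface (Linux naming, e.g. eth0.10);
    untagged frames belong to the native VLAN if one is set. A tagged frame
    for a VLAN with no sub-interface is dropped, which is the normal trunk
    behaviour rather than a leak into some other zone.
    """

    def __init__(self, base="eth0", native_vid=None):
        self.base = base
        self.native_vid = native_vid
        self.subifs = {}

    def add_subinterface(self, vid):
        self.subifs[vid] = f"{self.base}.{vid}"
        return self.subifs[vid]

    def deliver(self, frame) -> Optional[str]:
        """Name of the sub-interface that receives this frame, or None (dropped)."""
        _, _, vid, _, _, _ = parse_frame(frame)
        if vid is None:
            vid = self.native_vid
        return self.subifs.get(vid)


if __name__ == "__main__":
    # Constructed sample traffic: three zones on one trunk, no native VLAN.
    fw = TrunkPort("eth0")
    for vid in (10, 20, 30):
        print("configured", fw.add_subinterface(vid))
    dst, src = mac("ff:ff:ff:ff:ff:ff"), mac("02:00:00:00:00:01")
    arp = b"\x00" * 28
    for vid in (10, 30, 99):
        print(f"VID {vid:3} ->", fw.deliver(tag_frame(dst, src, vid, ETH_P_ARP, arp)))
    print("untagged ->", fw.deliver(untagged_frame(dst, src, ETH_P_ARP, arp)))
```

On a Linux-based firewall the real equivalent of `add_subinterface(10)` is `ip link add link eth0 name eth0.10 type vlan id 10`, after which zone rules are written against `eth0.10` exactly as they would be against a dedicated physical port. The trunk does share one link's bandwidth across all zones, which is the concern raised earlier in the thread; the options listed in the reply above (a faster trunk interface, or moving inter-VLAN ACLs onto the L3 switch) are the standard answers to that, not one cable per VLAN.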

So let me ask you, do you feel that Windows SBS server, where all functions are crammed into a single device rather than being separated out into individual VMs, is smart? Because that was a big trend fifteen years ago, make it "simple" for IT shops that "didn't get it" and it was crap. Performance was crap, stability was crap, everyone who was "stuck in the old ways" laughed at them for being caught up in marketing and hype and not thinking through what they were doing, and eventually the model showed to be so ridiculous that even MS discontinued it.

UTMs require you to do things in a fundamentally unreliable and expensive way. Router hardware is not as reliable, cheap, or performant as your server infrastructure. But it makes loads of money for the VARs and networking companies.

What you see as "stuck in the old ways", we see as "understanding how it works." UTMs aren't a new idea, they are just new on the market. It's a new way to trick people into spending too much (thanks to security theater and security being too confusing for most shops) by fancy terms and marketing blitzes, and hoping that people buying them don't know the history or realize that all of that functionality is something we've had access to, and been doing better, for a long time.

Remember, UTMs aren't new, thinking that UTMs are a good idea is new. That's a huge difference.

It's one of the current "buzz words" in IT. Like SAN was ten years ago. Took a few years of fighting, now everyone knows how ridiculous, costly, and risky that trend was. But for many years there, those of us pushing hyperconvergence (the "old" way) were laughed at for not doing what was "new", which neither thing was new.

Then hyperconvergence got the marketing and now it is seen as "new", even though we were pushing it before SANs were popular.

The reason I have seen personally that some managers want a UTM is because they want that all in one system so they don't have to worry about multiple separate pieces, want the paid support, and don't understand how it's actually less secure, but want someone else to blame if things go bad.

And? I can do all of that without a SonicWall or a UTM. No one is saying you can't do it poorly with a UTM, we are just saying it's not the only, or the best, way to do it.

You're diverting again. This was a sub-response about you saying you never put it on the edge. I explained why and then you are back to the UTM argument.

Right, you shouldn't put it on the edge. You didn't explain why at all. That you think that you did shows that you aren't understanding.

By putting it on the edge it was more costly and less reliable. So in your example, you feel that you showed why you should do it, but I see it as showing why you shouldn't, because you got no features or benefits from placing it at the edge, only caveats.

That's what they said about SBS. "Managers" who don't understand IT stuff and go from airport marketing blitzes do these crazy things because they don't understand cost, best practices, common sense, workload separation, etc.

It's part of the trick of "bundling" that is one of the "predictably irrational" ways that you can manipulate buyers. Buyers perceive bundled products as cheaper and better, even when logic says that they are not. It's similar to the "three option" sales trick; even when you tell someone you are going to do it to them, the trick is so strong that even Harvard MBA students being prepped for it mostly fall for it anyway.

Bundling is one of those things that IT needs to protect businesses against, because non-technical managers have effectively no defense against it except for deferring decision making to the people who know the stuff. But truly, any manager choosing the tech is incompetent beyond belief, because the one thing he knows for sure, is that he isn't qualified to make the decision.
